Posted by samzenpus on Thursday November 29, 2012 @05:07AM from the will-this-be-on-the-test? dept.

theodp writes "Forget about 'snow days' — the kids in the Lake Washington School District could probably use a few 'virus days.' Laptops issued to each student in grades 6-12 were supposed to accelerate learning ('Schools that piloted the laptops found that students stayed engaged nad [sic] organized whiel [sic] boosting creativity,' according to the district's Success Stories), but GeekWire reports that a computer virus caused havoc for the district as it worked its way through the Windows 7 computers, disrupting class and costing the district money — five temporary IT staff members were hired to help contain the virus. Among the reasons cited for the school district's choice of PCs over Macs were the proximity to Microsoft HQ (Redmond is in the district), Microsoft's involvement in supporting local and national education, and last but not least, cost. In the past, the Lake Washington School District served as a Poster Child of sorts for Microsoft's Trustworthy Computing Group."

The trust is for the media cartels. They don't trust users not to copy their media, so Microsoft sold them the idea of computing they could trust.

The "End to End Trust" initiative is all about this - removing the computer's trust that its owner should have control, and handing that trust to the people with the root signing keys - Microsoft will become indispensable to the entire Windows software ecosystem. The ultimate rent-seeking behaviour.

Wait...Windows 7-Ready hardware, Windows 7 Licensing Costs AND 5 additional IT-employees and they choose Microsoft because "it costs less"?! I seriously need to get a job in the public sector, seems like they can jack off all day or something.

Among other things, TFA implies that this is because they were using 'PCs instead of Macs' [sic].

While it's true that OSX has way less malware than Windows, the main cause of malware infections is the users who click anything that's offered to them without thinking. You can hide behind less popular operating systems, but the sad truth is that the average computer user simply can't handle the freedom of being able to do whatever they want, without messing things up.

So the solution is better tech education or--the cheaper way--locking things down. Both MS and Apple are doing it in their mobile OSs and they're starting to implement this in their desktop OSs as well.

Of course, the IT could also have locked Windows down with Group Policy and SRP, so that it would be pretty much impossible to install anything (unless reinstalling the OS). Instead, they relied on some crappy antivirus (Sophos) and I wouldn't be surprised if the users were given admin rights as well.

I'm not a Microsoft fan at all (and they might have played dirty to get the school to use Windows), but the real story here is IT staff incompetence and the poor education of the average computer user.

Hire COMPETENT IT staff to begin with? Honestly, what kind of amateur hour school is this? Having to hire temp IT staff to deal with it, really? How about actually staffing your departments properly and with competent staff?

I have given my kids restricted user accounts on their Windows computers and so far they haven't managed to infect the computers. Setting up a Windows machine with restricted accounts, Foxit reader as PDF reader, Chrome as web browser and flash block plugin installed has done the trick for me so far.
For the same price as a Mac I get a PC + iPad + spare change.

Depends which drugs. Cannabis? Not so bad. Crack cocaine or meth? Hell yes!

"Kids are locked in prisons all day without any freedoms or rights"

Oh get over yourself. Kids are made to go to school because if left to their own devices 90% of them would learn NOTHING. And kids DON'T have the same rights as adults so stop sulking about it just because you probably didn't like school much.

"totally unnecessary activities such as gym/exercise/art/music/computers/and other classes that are non-essential."

Yeah, I mean who wants a country full of fat bastards with heart disease to get fit. I mean that's just cruel isn't it? As for other stuff, peh! Learning, who needs it eh when you can be a troll on slashdot all your life instead?

"setting up the school day for non-learning and/or non-critical life activities and then requiring every student to participate in them is wrong."

No, it isn't. But perhaps when you become an adult you'll realise why.

There used to be this expression "no-one ever got fired for buying IBM". Buy IBM, and you're safe; if it still breaks you can always say "well I went with what everybody does, what is generally considered a good choice, so I did the best I could". By buying some no-name brand, or brandless hardware, you don't have this excuse. Then it's instantly your responsibility.

Same for Microsoft vs Linux. Linux is "that hacker platform" while Windows is "what all businesses use". It's the safe choice - from a job security pov. We know Linux is statistically more stable and secure than Windows, but if it goes wrong, it's the fault of the guy going for the alternative, off the beaten track, and insisting on going against what the rest of the world does.

Or for the obligatory car analogy: Linux is the self-driving car that reacts faster, is more alert, won't speed, stops for red lights, and has a perfect accident record, while Windows is the human driven car. When one of the human drivers has yet another accident, that's too bad, humans aren't perfect. When the self-driving car has an accident, that's a disaster, totally unacceptable and why isn't there a human at the wheel paying attention to correct those mistakes.

Before we blame the IT staff, let me give this some perspective. (I have nine years experience as a teacher & tech director in a public K-12 US school.)

First, I'm reasonably confident in saying that, if proper Group Policy was implemented and user restrictions put in place, this never would have happened. Second, this is a HUGE school district with over 50 schools. They can certainly afford a public liaison (who was speaking on behalf of the district in the local broadcast), and I'm sure they have a large IT staff...I'm guessing in the neighborhood of 20-30 employees. Though public school districts would pay less than Microsoft right next door, given the sheer numbers there must be at least a few people on that staff that know how to accomplish this as well as its value in preventing this sort of mess from happening.

With that in mind, here's what I've concluded: There is likely someone with leadership authority who told IT staff to let students manage their own laptops and have admin privileges. Given the size of the district, the directive either came from the district technology committee, or directly from the superintendent, school board, or both. All it would take is a number of parents to ignorantly complain to a "friend on the board" that "Johnny's laptop is broken - he can't install the programs he needs to do his homework" for the school board to direct the superintendent to "fix the issue." Likely this was a top-down order; I simply cannot imagine a tech staff that large to be that incompetent on their own.

What bothers me about this is how they're going about trying to fix the problem. If I had a worst-case mass-deployment of a virus at my school, I would just recall all the equipment, reimage everything, and redeploy a week later. I would issue a directive to all the staff that the equipment is down for one week to be cleaned, and make do without it. It's either one week of downtime or months of unreliability. If teachers would know that they have the option of either the problem being fixed in a week or the problem being "managed" over months, they would all take the week's downtime in a heartbeat.

One other question I have for those here: have you ever encountered a Windows virus that, as they claim, just "spreads on the network" without user initiation of the virus by clicking on an executable, script, or loading an infected webpage? I think the much more likely scenario is that this virus is being spread through usb flash disks, but I'm not sure whether that explanation was too technical for staff to understand.

The premise-- that Macs somehow are immune to viruses-- is utterly ridiculous. Was everyone sleeping when each of the last several years' Pwn2Owns resulted in OSX falling first (I think that this year they did better)? Was everyone sleeping when Flashback hit and everyone was astonished that OSX has bugs just like every other computer program on the planet?

If they had a rampant virus despite having antivirus and filters, then I know several things: They were granting admin privileges to the users and / or their AV utterly sucks (what kernel-mode antivirus gets thwarted by userland viruses?); they don't have a functional update system; and their network controls are inadequate.

I would note that, even if the premise were correct ("Macs don't ever have malicious programs"), this incident would demonstrate that the infrastructure simply wasn't there-- if you're giving very young, possibly irresponsible kids network access with semi-controlled devices, it behooves their IT department to make sure one clever and devious kid can't bring everything down. This demonstrates that they haven't thought that through. I recall when my college got hit by Blaster, the IT staff started blocking MAC addresses that were infected. This was about 10 years ago; there's no excuse for not having similar capabilities now, not when there are so many low-cost managed switches out there.

And mine have full blown admin rights for their own PCs. How else are they going to learn about all the nasties on the internet? Better they make the fuck-ups today, when their machines aren't doing anything important, than when they turn into adults with credit cards, bank accounts and other meaningful online accounts.

These days almost every single exploit that hits a windows box uses a cross platform plugin.

Windows, with the history it has, has a number of highly sophisticated tools at detecting them; and Macs do not, and it is thus likely that any such infections would be completely unnoticed?

These are what is known as hypotheses. The problem is, there are a crap-ton of security researchers who actually look at these numbers, and both have been disproved. Most malware still doesn't have a cross platform component, either by numbers of infection or by variant. The infection rate of a random sampling of Macs inspected by security experts always finds a much lower infection rate by a huge margin.

Maybe to help explain this phenomenon you should wander over to a security convention like Blackhat or Defcon. Count the number of security experts with Macbooks versus other devices. Notice a trend?

Wait...Windows 7-Ready hardware, Windows 7 Licensing Costs AND 5 additional IT-employees and they choose Microsoft because "it costs less"?! I seriously need to get a job in the public sector, seems like they can jack off all day or something.

I know it is fashionable to rail on government spending as wasteful in all circumstances, but this attitude always pisses me off. For every government project that goes over-budget or delayed, there is a corporation happily cashing the checks and under-delivering. That's where the problem is.

Unlikely. As with everything in modern American public education (well, anything in a major American organization, public or otherwise), decisions are made based on how little something costs RIGHT NOW as opposed to how much it will cost in the long run, and any attempt to build infrastructure to support a new initiative is met with "that's so much money, we'll just cross that bridge when we come to it if it's a problem." Handing out tens of thousands of Windows-based laptops (especially with Redmond's subsidy for OS cost) may be cheaper up-front, but bringing in that many laptops requires substantial infrastructure to handle the 'side benefits' of Windows, namely the need for strong antivirus solutions and the most restrictive group policies that are possible that still allow the students to log into their laptops. I can guarantee you that at one point as this program was being developed the following conversation, or one very much like it, happened:

Tech: "We need to take security measure X, because Y."
Suit: "How likely is Y to happen?"
Tech: "Hard to say, exactly, but it's possible, so we should do X. It will require additional effort Z, but it's a fair trade."
Suit: "And how much will Z cost us?"
Tech: "Well, it will probably generate additional help desk traffic."
Suit: "Work around it, help desk traffic costs money."
Tech: "If we do that, and Y happens, the entire network could be trashed and we'll have to hire (expensive) additional staff to fix things, and we could potentially be down for weeks or months."
Suit: "Ehh, that'll probably never happen. Do the workaround."

I'm guessing in this case the students were required to have privileged accounts on their laptops because of shitty software that doesn't install correctly in userland.

You were the last competent person to touch their system. The only one who knew how to make changes. They know they changed nothing. How could this problem exist, it requires a change to have been made?

Computer Voo Doo. It has to be the change you made 2 years ago that caused the virus today.

Ah, Voo Doo, I know thee well. Many of my customers have claimed I have practiced the art.

Dunno, but you sure as hell can remove every browser from Linux and it'll still function fine. Why does Windows need IE dlls at all?

"your driver "processes" in OSX run with kernel privileges."

Dunno, but in linux system daemons run under all sorts of users. eg apache, smmsp, daemon. They don't all need to run as root.

"you generally dont want a normal user launching a program that runs with root, and Windows already has a method of stripping privileges from a process."

Generally they fire up with root privs, carry out a few tasks then setuid() to something innocuous. But if you're really worried then google "chroot", it's something that's been around since the year dot in unix which Windows still hasn't got. Also SE Linux has lots of extra stuff.

Unix started out with security built in, Windows was a free for all desktop OS that's been upgraded piecemeal over the years and it shows.
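
The start-as-root, then chroot and setuid() pattern described in the comment above, written out in C as an added example that is not part of the original thread. The helper name `drop_privileges`, its return codes and the target id 65534 are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* exposes chroot() and setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum { DROP_OK = 0, DROP_REFUSED = -1, DROP_FAILED = -2 };

/* Hypothetical helper. jail may be NULL to skip chroot(); uid/gid are the
 * unprivileged target account. */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    int was_root = (geteuid() == 0);

    if (uid == 0 || gid == 0)
        return DROP_REFUSED;        /* "dropping" to root is a config error */

    /* chroot() needs root, so it comes before the uid change. The chdir("/")
     * matters: without it the working directory still points outside the jail. */
    if (jail != NULL && (chroot(jail) != 0 || chdir("/") != 0))
        return DROP_FAILED;

    /* Order: supplementary groups, then gid, then uid. Once the uid is gone
     * the process may no longer change its groups, so the uid goes last. */
    if (was_root && setgroups(0, NULL) != 0)
        return DROP_FAILED;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return DROP_FAILED;         /* caller must exit, never carry on as root */

    /* Verify instead of trusting return codes: ids changed, root not regainable. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return DROP_FAILED;
    if (setuid(0) == 0 || seteuid(0) == 0)
        return DROP_FAILED;
    return DROP_OK;
}

int main(void)
{
    /* Constructed target: 65534 is commonly "nobody"; a real daemon would
     * look up its own service account with getpwnam(). */
    uid_t uid = geteuid() == 0 ? 65534 : getuid();
    gid_t gid = geteuid() == 0 ? 65534 : getgid();
    int rc = drop_privileges(NULL, uid, gid);
    printf("drop_privileges -> %d (uid now %ld)\n", rc, (long)getuid());
    return rc == DROP_OK ? 0 : 1;
}
```

A daemon should treat any result other than `DROP_OK` as fatal and exit before it handles untrusted input.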